You can add, edit, delete and clone rules. A rule is a condition that is checked against inbound or outbound HTTP(S) traffic. Each rule chain can have one or more rules configured, and must have at least one rule before it can be used. Figure 5 shows the Add Rule page.
Figure 5 Add Rule Page
Rules allow the administrator to employ both a positive security model and a negative security model. In a positive security model, policies are written only to allow known traffic and block everything else. In a negative security model, policies block known bad traffic and allow everything else.
A rule has several components:
• Variables – These are HTTP protocol entities that are scanned by Web Application Firewall to help identify legitimate or illegitimate traffic. Multiple variables can be matched against the configured value in the Value field. The ‘+’ and ‘-’ buttons allow you to add variables from the Variables drop-down list or delete them from the list of selected variables. You can combine multiple variables as required to match the specified value. If multiple variables are configured, then the rule is matched if any one of the configured variables matches the target value. See the “About Variables” section on page 29 for more information about variables.
• Operators – These are arithmetic and string operators. The Not checkbox is an inversion operator used to match any value except the configured condition. See the “About Operators” section on page 32 for more information about the operators.
• Value – This entity can be a number, literal string, or a regular expression, which is compared with the scanned target. It is compared with the value of the configured variable(s) according to the specified operator.
To compare the variable(s) to more than one value, you can enter multiple values separated by spaces into the Value field, and select the Matches Keyword operator. Delimiting by spaces only works if the Matches Keyword operator is selected.
• Advanced Operations – This field allows you to apply operations beyond those supported by the Operators field, especially to enforce Anti-Evasive protection. See the “About Advanced Operations” section on page 32 for more information about these operations.
The following sections provide detailed information about rules:
• “About the Tips/Help Sidebar” on page 29
• “About Variables” on page 29
• “About Operators” on page 32
• “About Advanced Operations” on page 32
• “Example Use Cases for Rules” on page 34
• “Deleting a Rule” on page 37
• “Cloning a Rule” on page 37
• “Adding or Editing a Rule” on page 37
About the Tips/Help Sidebar
You can select a variable in the Variables drop-down list to display more information about that variable in the Tips/Help sidebar. The sidebar explains when each variable would be used and where it is found in the HTTP protocol. An example use case is provided for each variable.
You can also select an entry in the Advanced Operations drop-down list to display more information about it in the Tips/Help sidebar.
The sidebar also provides context-sensitive search. When you click on a variable and then search for a particular keyword, the search results are only related to variables.
About Variables
Variables are HTTP protocol entities that are scanned by Web Application Firewall to help identify legitimate or illegitimate traffic. Multiple variables can be matched against the configured value in the Value field. The ‘+’ and ‘-’ buttons allow you to add variables from the Variables drop-down list or delete them from the list of selected variables.
You can combine multiple variables as required to match the specified value. If multiple variables are configured, then the rule is matched if any one of the configured variables matches the target value.
A variable can represent a single value or a collection. Variables such as URI or Host have exactly one value in each HTTP(S) request; for such variables, the selection textbox is not displayed. Other variables, such as Request Header Values and Response Header Names, represent a collection. For a collection variable, such as Parameter Values, a specific item within the collection can be configured by entering its name in the selection textbox to the right of the colon (:).
If you need to test the collection itself against an input, leave the selection textbox empty. If you need to retrieve the value of a specific item in the collection, specify that item in the selection textbox.
For example, to test whether the parameter password exists in the HTTP(S) request, configure the variable Parameter Names, leave the selection textbox empty, set the Operator to Equals String and the Value to password. If instead you want to check whether the value of the password parameter matches a particular string, such as “foo”, select the Parameter Values variable, specify password in the selection textbox, and enter foo in the Value field.
Table 2 describes the available variables.
Table 2 Variables for Use in Rules
Each entry gives the variable name, whether it is a collection, and its description.
• Host (Collection: No) – Refers to the host name or the IP address in the Host header of an HTTP request. This typically refers to the host part of the URL in the address bar of your browser.
• URI (Collection: No) – Refers to the combination of path and the query arguments in a URL.
• HTTP Method (Collection: No) – Refers to the method, such as GET and POST, used by the browser to request a resource on the Web server.
• HTTP Status Code (Collection: No) – Refers to the response status from the Web server. You can use this to configure actions for various error codes from the Web server.
• Parameter Values (Collection: Yes) – Refers to the collection of all request parameter values, including the values of all query arguments and form parameters that are part of the current request.
– To match against some aspect of the entire list of parameter values, such as the number of parameter values, leave the selection field empty.
– To match against the value of a particular parameter, specify the name of the parameter in the selection field to the right of the colon.
• Parameter Names (Collection: Yes) – Refers to the collection of all request parameter names, including the names of all query arguments and form parameters that are part of the current request.
– To match against some aspect of the entire list of parameter names, leave the selection field empty.
– To match against the name of a particular parameter, specify the parameter name in the selection field to the right of the colon.
• Remote Address (Collection: No) – Refers to the client's IP address. This variable allows you to allow or block access from certain IP addresses.
• Request Header Values (Collection: Yes) – Refers to the collection of all HTTP(S) request header values for the current request.
– To match against some aspect of the entire list of request header values, leave the selection field empty.
– To match against a particular header value, specify the name of the header in the selection field to the right of the colon.
– For example, to block Ajax requests, select Request Header Values as the Variable, specify X-Request-With in the selection textbox, and specify ajax in the Value field.
• Request Header Names (Collection: Yes) – Refers to the collection of all HTTP(S) request header names for the current request.
– To match against some aspect of the entire list of request header names, leave the selection field empty.
– To match against a particular header name, specify the name of the header in the selection field to the right of the colon.
– For example, to block requests that are not referred by a trusted host, select Request Header Names as the Variable, specify Referer in the selection textbox, enter the host names or IP addresses of the trusted hosts in the Value field, select the Not checkbox and select the Matches Keyword operator.
• Response Header Values (Collection: Yes) – Refers to the collection of all HTTP(S) response header values for the current request.
– To match against some aspect of the entire list of response header values, leave the selection field empty.
– To match against a particular header value, specify the name of the header in the selection field to the right of the colon.
• Response Header Names (Collection: Yes) – Refers to the collection of all HTTP(S) response header names for the current request.
– To match against some aspect of the entire list of response header names, leave the selection field empty.
– To match against a particular header name, specify the name of the header in the selection field to the right of the colon.
• Response Content Length (Collection: No) – Refers to the size of the response payload.
• Response Payload (Collection: No) – Refers to the Web page content that is displayed to the user.
• Portal Hostname (Collection: No) – Refers to the virtual host name of the SonicWALL SSL VPN portal which accepts the request from the client. To create a rule chain that applies to a particular virtual host, one rule would match the host and another would specify other criteria for the match.
• Portal Address (Collection: No) – Refers to the IP address or virtual IP address of the SonicWALL SSL VPN portal which accepts the request from the client.
About Operators
There are a number of arithmetic and string operators. The Not checkbox is an inversion operator, which results in a match for any value except the configured condition.
These operators can be used in conjunction with Advanced Operations. For example, you might use the Equals String operator with Convert to Lowercase or Normalise URI Path in Advanced Operations.
Table 3 describes the available operators for use with rules.
Table 3 Rule Operators
Each entry gives the operator, its type, and its description.
• Contains (String) – One or more of the scanned variables contains the content of the Value field.
• Equals String (String) – The scanned variable(s) match the alphanumeric string in the Value field exactly.
• = (Arithmetic) – The scanned variable is equal to the content of the Value field.
• > (Arithmetic) – The scanned variable is greater than the content of the Value field.
• >= (Arithmetic) – The scanned variable is greater than or equal to the content of the Value field.
• < (Arithmetic) – The scanned variable is less than the content of the Value field.
• <= (Arithmetic) – The scanned variable is less than or equal to the content of the Value field.
• Matches Keyword (String) – One or more of the scanned variables matches one of the keywords in the Value field. If multiple keywords are specified, they must be separated by spaces.
• Matches Regex (String) – One or more of the scanned variables matches the regular expression in the Value field. An example of a regular expression that matches any four decimal digits is \d{4}.
About Advanced Operations
Advanced operations are applied to the input identified by the selected variables before the input is matched against the specified value. For instance, the String Length operation computes the length of the matched input and uses it for the comparison. Some of the advanced operations are used to thwart attempts by attackers to encode inputs in order to bypass Web Application Firewall rules. You can click on an advanced operation in the list to read more information about it in the Tips/Help sidebar.
The advanced operations can be used in conjunction with regular operators. There are ten operations to choose from in the Advanced Operations field, including the None operation, which leaves the input unchanged.
Multiple advanced operations can be selected together and are individually enforced. You can select multiple operations by holding the Ctrl key while clicking an additional operation. When the None operation is selected along with other operations in your rule, the input is compared as is and also compared after decoding it or converting it with each other selected operation.
Table 4 describes the advanced operations available for use with rules.
Table 4 Advanced Operations for Rules
Each entry gives the operation and its description.
• None – Use the None operation when you want to compare the scanned input to the configured variable(s) and value(s) without changing the input.
• String Length – Use the String Length operation when the selected variable is a string and you want to compute the length of the string before applying the selected operator.
• Convert to Lowercase – Use the Convert to Lowercase operation when you want to make case-insensitive comparisons by converting the input to all lowercase before the comparison. When you use this operation, make sure that strings entered in the Value field are all in lowercase. This is an anti-evasive operation to prevent attackers from changing case to bypass the rule.
• Normalise URI Path – Use the Normalise URI Path operation to remove invalid references, such as back-references (except at the beginning of the URI), consecutive slashes, and self-references in the URI. For example, the URI www.eshop.com/././//login.aspx is converted to www.eshop.com/login.aspx. This is an anti-evasive operation to prevent attackers from adding invalid references in the URI to bypass the rule.
• Remove Spaces – Use the Remove Spaces operation to remove spaces within strings in the input before the comparison. Extra spaces can cause a rule to not match the input, but are interpreted by the backend Web application. This is an anti-evasive operation to prevent attackers from adding spaces within strings to bypass the rule.
• Base64 Decode – Use the Base64 Decode operation to decode base64 encoded data before the comparison is made according to the rule. Some applications encode binary data in a manner convenient for inclusion in URLs and in form fields; base64 encoding keeps such data compact, and the backend application decodes it. This is an anti-evasive operation to prevent attackers from using base64 encoding of their input to bypass the rule.
• Hexadecimal Decode – Use the Hexadecimal Decode operation to decode hexadecimal encoded data before the comparison is made according to the rule. This is an anti-evasive operation to prevent attackers from using hexadecimal encoding of their input to bypass the rule.
• URL Decode and URL Decode (Unicode) – Use the URL Decode operation to decode URL encoded strings in the input. Use the URL Decode (Unicode) operation to handle %uXXXX encoding. URL encoding is used to safely transmit data over the Internet when URLs contain characters outside the ASCII character set.
Note Do not use these operations against an input that has been decoded already.
This is an anti-evasive operation to prevent attackers from using URL encoding to bypass rules, knowing that the backend Web server can interpret their malicious input after decoding it. For example, the URI www.eshop.com/hack+URL%3B is converted to www.eshop.com/hack URL by this operation before the comparison is made.
• Trim – Use the Trim operation to remove spaces before and after the input data before the comparison. Extra spaces can cause a rule to not match the input, but are interpreted by the backend Web application. This is an anti-evasive operation to prevent attackers from adding spaces before and after the input data to bypass the rule.
Example Use Cases for Rules
This section provides examples of positive and negative security models, as well as several examples showing the use of advanced operations, to provide a deeper understanding of these anti-evasive techniques.
Example – Positive Security Model: Blocking Bad Logins
To prevent login to an Application Offloaded Web site if the length of the password is less than 8 characters, you would create a rule chain containing the following rules:
1. Select Host as the Variable and click + to add it, set the Operator to Equals String, and set Value to the Virtual Host name of the portal. This checks that the Host header of the login request matches the site you are trying to protect. In this case, the rule chain is only being applied to one site.
2. Select Parameter Value as the Variable and type password into the selection field, then click + to add the variable and selected item to the rule, set the Operator to < (less than), and set Value to 8. Select String Length in the Advanced Operations list to compute the length of the password form parameter.
The action for the rule chain would be set to Prevent. Figure 6 shows the rule chain for this example.
Figure 6 Example Rule Chain – Blocking Bad Logins
Example – Positive Security Model: Blocking a Form Submission with Unwanted Parameters
This rule chain blocks a form submission if the form has a request parameter other than formId or if the value of formId contains more than 4 digits. To accomplish this, you would need two rule chains:
1. The first rule chain contains two rules:
– The first rule identifies the URL where the form is submitted.
– The second rule checks if Parameter Names does not match the name of the valid parameter, formId. It uses the Equals String operator with the Not inversion checkbox selected.
2. The second rule chain contains two rules:
– The first rule identifies the URL where the form is submitted.
– The second rule checks if the value contained by the Parameter Value: formId variable matches the regular expression ^\d{1,4}$ which matches anything that consists of 1 to 4 digits. The Not inversion checkbox is selected to change the rule to match anything that does not consist of 1 to 4 digits.
Example – Negative Security Model: Blocking Malicious Input to a Form
To block malicious input to a form, you would create a rule chain containing the following two rules:
1. The first rule identifies the URL for the form.
2. The second rule identifies the form parameter, shell_cmd, and the bad input, traceroute.
Example – Using URL Decode and None
If a hacker perceives that a Request URI is being scanned for CR and LF characters (carriage return and line feed), the hacker may attempt to sneak those characters into the request by performing URL encoding on the characters before adding them to the request. The URI will then contain %0D and %0A characters, which could be used to launch an HTTP response splitting attack. The URL Decode and/or URL Decode (Unicode) operations can be used to thwart this type of attack by decoding the scanned input before comparing it against the configured value(s) to check for a match.
Specifically, if a request is made to the URI http://www.host.com/foo%20bar/ and the URL Decode operation is selected, the scanned URI becomes http://www.host.com/foo bar/ after decoding, which can now be safely matched. To thwart a hacker who sends a non-encoded request in addition to the encoded one, the administrator can select the None and the URL Decode options in the rule.
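To make the rule semantics in Tables 2 to 4 and the use cases above concrete, the following is an added example (not SonicWALL code) that models them in Python: variables are pulled from a constructed request, each selected advanced operation is applied individually before the operator runs (so None plus URL Decode compares both the raw and the decoded input), and a chain fires its action when all of its rules match. Where the manual leaves a detail implicit, the code states its assumption: rules in a chain are ANDed, the Not checkbox inverts the operator per scanned item (which is what makes the unwanted-parameter chain work), Matches Keyword is whole-string equality, and Normalise URI Path is approximated with posixpath.normpath. The host name portal.example.com, the paths and the parameter values are constructed sample data.

```python
# Added example modelling the rule semantics described above; not SonicWALL code.
# Assumptions: rules in a chain are ANDed, Not inverts the operator per scanned
# item, Matches Keyword is whole-string equality, Normalise URI Path ~ normpath.
import base64
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Advanced operations (Table 4): transform the scanned input before the operator runs.
ADVANCED_OPS = {
    "None": lambda s: s,
    "String Length": lambda s: str(len(s)),
    "Convert to Lowercase": str.lower,
    "Normalise URI Path": posixpath.normpath,  # drops '/./' and '//', resolves '..'
    "Remove Spaces": lambda s: s.replace(" ", ""),
    "Trim": str.strip,
    "URL Decode": unquote,
    "URL Decode (Unicode)": lambda s: re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), unquote(s)),
    "Base64 Decode": lambda s: base64.b64decode(s, validate=True).decode("utf-8", "replace"),
    "Hexadecimal Decode": lambda s: bytes.fromhex(s).decode("utf-8", "replace"),
}

def apply_operator(op, scanned, value):
    # Operators (Table 3); the arithmetic ones compare numerically.
    if op == "Contains":
        return value in scanned
    if op == "Equals String":
        return scanned == value
    if op == "Matches Keyword":
        return scanned in value.split()  # keywords in the Value field are space-delimited
    if op == "Matches Regex":
        return re.search(value, scanned) is not None
    try:
        a, b = float(scanned), float(value)
    except ValueError:
        return False  # non-numeric input never satisfies an arithmetic operator
    return {"=": a == b, ">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]

def variable_values(name, selection, req):
    # Variables (Table 2): a single value, the whole collection when the selection
    # textbox is empty, or one item of the collection when a name is given.
    if name in ("Host", "URI", "HTTP Method"):
        return [req[name]]
    collection = {
        "Parameter Names": {p: p for p in req["params"]},
        "Parameter Values": req["params"],
        "Request Header Names": {h: h for h in req["headers"]},
        "Request Header Values": req["headers"],
    }[name]
    if selection:
        return [collection[selection]] if selection in collection else []
    return list(collection.values())

def evaluate_rule(rule, req):
    # Matches if any configured variable, under any selected advanced operation
    # (None + URL Decode checks raw and decoded forms), satisfies the operator;
    # the Not checkbox inverts that result for each scanned item.
    scanned = [v for var, sel in rule["variables"] for v in variable_values(var, sel, req)]
    for op_name in rule.get("advanced", ["None"]):
        for s in scanned:
            try:
                transformed = ADVANCED_OPS[op_name](s)
            except ValueError:
                continue  # input is not valid for this decoder; try the next one
            if apply_operator(rule["operator"], transformed, rule["value"]) != rule.get("not", False):
                return True
    return False

def evaluate_chain(chain, req):
    # All rules of a chain must match for its action to fire (assumption).
    return chain["action"] if all(evaluate_rule(r, req) for r in chain["rules"]) else None

def make_request(method, url, headers=None, body=""):
    # Constructed request: the URI stays raw (still URL-encoded); query arguments
    # and form-body fields become the (already decoded) parameter collection.
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return {"HTTP Method": method, "Host": parts.netloc, "URI": uri,
            "headers": dict(headers or {}), "params": params}

# Blocking Bad Logins: Host equals the portal and the password is shorter than 8.
BAD_LOGIN = {"action": "Prevent", "rules": [
    {"variables": [("Host", "")], "operator": "Equals String", "value": "portal.example.com"},
    {"variables": [("Parameter Values", "password")], "operator": "<", "value": "8",
     "advanced": ["String Length"]},
]}
# Unwanted Parameters (first chain): any parameter name other than formId on the form URL.
UNWANTED_PARAMS = {"action": "Prevent", "rules": [
    {"variables": [("URI", "")], "operator": "Contains", "value": "/submit"},
    {"variables": [("Parameter Names", "")], "operator": "Equals String", "value": "formId", "not": True},
]}
# URL Decode and None: CR/LF in the URI whether sent raw, percent-encoded or %u-encoded.
CRLF_IN_URI = {"action": "Prevent", "rules": [
    {"variables": [("URI", "")], "operator": "Matches Regex", "value": r"[\r\n]",
     "advanced": ["None", "URL Decode", "URL Decode (Unicode)"]},
]}
```

Note the note in Table 4 at work in make_request: form parameters are already decoded by the parser, so a rule on Parameter Values should not add URL Decode again, whereas the URI is kept raw and does benefit from None plus URL Decode. A decoder that rejects its input (for example Base64 Decode on a value that is not base64) is simply skipped for that item, so selecting it never stops the other operations from being checked.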
Example – Using Convert to Lowercase and URL Decode with Parameter Values